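---
# Authelia (SSO / Traefik forward-auth) stack for a single-node Docker Swarm.
#
# Every long-lived credential is a Docker secret created out of band
# (`external: true`); nothing sensitive is meant to live in this file.
# The Authelia configuration files live in the authelia_config volume and are
# not visible here; with X_AUTHELIA_CONFIG_FILTERS=template they are presumably
# the place where /run/secrets/* is read — verify when changing secret names.
#
# Changes versus the previous revision (security / data-safety):
#   * MariaDB no longer carries the literal root/app password "authelia" in
#     this file (and therefore in git, `docker service inspect` and the
#     healthcheck command line); both passwords now come from secrets.
#   * The MariaDB healthcheck no longer passes a password on the command line.
#   * redis and mariadb use `order: stop-first`: with `start-first`, one
#     replica and a single local data volume pinned to one node, an update
#     briefly ran two instances against the same AOF / InnoDB datadir.

x-authelia-env: &authelia-env
  X_AUTHELIA_EMAIL: authelia@nixc.us
  X_AUTHELIA_SITE_NAME: ATLAS
  X_AUTHELIA_CONFIG_FILTERS: template
  X_AUTHELIA_LDAP_DOMAIN: dc=nixc,dc=us
  TRAEFIK_DOMAIN: nixc.us

secrets:
  # Names follow Authelia's configuration keys, upper-cased.
  AUTHENTICATION_BACKEND_LDAP_PASSWORD:
    external: true
  IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET:
    external: true
  IDENTITY_PROVIDERS_OIDC_HMAC_SECRET:
    external: true
  IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY:
    external: true
  IDENTITY_PROVIDERS_OIDC_JWKS_KEY:
    external: true
  NOTIFIER_SMTP_PASSWORD:
    external: true
  SESSION_SECRET:
    external: true
  STORAGE_ENCRYPTION_KEY:
    external: true
  CLIENT_SECRET_HEADSCALE:
    external: true
  CLIENT_SECRET_HEADADMIN:
    external: true
  # Storage backend credentials (see mariadb below).
  # STORAGE_MYSQL_PASSWORD is mounted into BOTH mariadb (to create the
  # `authelia` user) and authelia (configuration.server.yml must read the same
  # file, e.g. through the template filter, so the two sides agree).
  STORAGE_MYSQL_PASSWORD:
    external: true
  # MariaDB superuser password; only mariadb itself needs it.
  MARIADB_ROOT_PASSWORD:
    external: true

networks:
  # Internal overlay shared by authelia, redis and mariadb only.
  default:
    driver: overlay
  traefik:
    external: true
  # Directory-service network (LDAP backend); only authelia joins it.
  ad:
    external: true

volumes:
  authelia_config:
    driver: local
  authelia_assets:
    driver: local
  authelia_redis_data:
    driver: local
  authelia_mariadb_data:
    driver: local

services:
  authelia:
    # NOTE(review): a floating tag is mutable; pinning by digest
    # (image@sha256:...) would make the deployed build reproducible.
    image: git.nixc.us/nixius/authelia:production-authelia
    command:
      - authelia
      - --config=/config/configuration.server.yml
      - --config=/config/configuration.ldap.yml
      - --config=/config/configuration.acl.yml
      - --config=/config/configuration.identity.providers.yml
      - --config=/config/configuration.oidc.clients.yml
    secrets:
      - AUTHENTICATION_BACKEND_LDAP_PASSWORD
      - IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET
      - IDENTITY_PROVIDERS_OIDC_HMAC_SECRET
      - IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY
      - IDENTITY_PROVIDERS_OIDC_JWKS_KEY
      - NOTIFIER_SMTP_PASSWORD
      - SESSION_SECRET
      - STORAGE_ENCRYPTION_KEY
      - CLIENT_SECRET_HEADSCALE
      - CLIENT_SECRET_HEADADMIN
      # Same secret mariadb uses to create the application user.
      - STORAGE_MYSQL_PASSWORD
    environment: *authelia-env
    # External resolvers only; Docker's embedded DNS still answers service
    # names on the attached overlay networks (presumably including the LDAP
    # host on `ad` — confirm if directory lookups go through a private zone).
    dns:
      - 1.1.1.1  # Cloudflare
      - 9.9.9.9  # Quad9
    # NOTE(review): /config is mounted read-write. If the image's entrypoint
    # does not render configuration into this volume at start-up, `:ro`
    # would be the safer mount.
    volumes:
      - authelia_config:/config:rw
      - authelia_assets:/config/assets:rw
    networks:
      - traefik
      - default
      - ad
    deploy:
      # Stateless apart from redis/mariadb, so a rolling start-first update is
      # safe here.
      update_config:
        order: start-first
        failure_action: rollback
        parallelism: 1
      restart_policy:
        condition: on-failure
      replicas: 1
      placement:
        constraints:
          - node.hostname == ingress.nixc.us
      labels:
        us.nixc.autodeploy: "true"
        homepage.group: Infrastructure
        homepage.name: Authelia
        homepage.href: https://login.nixc.us
        homepage.description: ATLAS
        traefik.enable: "true"
        traefik.docker.network: traefik
        traefik.http.routers.authelia_authelia.rule: Host(`login.nixc.us`)
        traefik.http.routers.authelia_authelia.entrypoints: websecure
        traefik.http.routers.authelia_authelia.tls: "true"
        traefik.http.routers.authelia_authelia.tls.certresolver: letsencryptresolver
        traefik.http.routers.authelia_authelia.service: authelia_authelia
        traefik.http.services.authelia_authelia.loadbalancer.server.port: "9091"
        # Forward-auth middlewares consumed by other stacks' routers.
        # NOTE(review): /api/verify is the legacy endpoint; newer Authelia
        # releases expose /api/authz/forward-auth — check the pinned version.
        # trustForwardHeader relies on Traefik being the only client that can
        # reach port 9091 with X-Forwarded-* headers; the service is also on
        # `ad` and `default`, so keep those networks free of untrusted peers.
        traefik.http.middlewares.authelia_authelia.forwardauth.address: http://authelia_authelia:9091/api/verify?rd=https://login.nixc.us/
        traefik.http.middlewares.authelia_authelia.forwardauth.trustForwardHeader: "true"
        traefik.http.middlewares.authelia_authelia.forwardauth.authResponseHeaders: Remote-User,Remote-Groups,Remote-Name,Remote-Email
        traefik.http.middlewares.authelia-basic.forwardauth.address: http://authelia_authelia:9091/api/verify?auth=basic
        traefik.http.middlewares.authelia-basic.forwardauth.trustForwardHeader: "true"
        traefik.http.middlewares.authelia-basic.forwardauth.authResponseHeaders: Remote-User,Remote-Groups,Remote-Name,Remote-Email
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:9091/api/health"]
      start_period: 15s
      interval: 30s
      timeout: 10s
      retries: 3
    logging:
      driver: json-file
      options:
        max-size: 10m
        max-file: "3"

  redis:
    # Session store. Reachable only on the internal `default` overlay.
    # NOTE(review): no `requirepass` is set; if the image honours a config
    # file, an auth token from a secret would add defence in depth.
    image: git.nixc.us/nixius/authelia:production-redis
    command: redis-server --appendonly yes
    volumes:
      - authelia_redis_data:/data:rw
    networks:
      - default
    deploy:
      # stop-first: a single replica on a single node must never overlap with
      # its successor on the same appendonly.aof.
      update_config:
        order: stop-first
        failure_action: rollback
        parallelism: 1
      restart_policy:
        condition: on-failure
      replicas: 1
      placement:
        constraints:
          - node.hostname == ingress.nixc.us
      labels:
        us.nixc.autodeploy: "true"
        traefik.enable: "false"
    healthcheck:
      test: ["CMD", "redis-cli", "ping"]
      start_period: 10s
      interval: 30s
      timeout: 5s
      retries: 3
    logging:
      driver: json-file
      options:
        max-size: 10m
        max-file: "3"

  mariadb:
    image: git.nixc.us/nixius/authelia:production-mariadb
    # Credentials are read from files via the *_FILE variables understood by
    # the upstream mariadb/mysql entrypoint (assumed to be kept by this image).
    # They are applied only when the datadir is first initialised: an existing
    # authelia_mariadb_data volume keeps its old passwords until they are
    # rotated manually (ALTER USER ...) to the values in the secrets.
    environment:
      MYSQL_ROOT_PASSWORD_FILE: /run/secrets/MARIADB_ROOT_PASSWORD
      MYSQL_DATABASE: authelia
      MYSQL_USER: authelia
      MYSQL_PASSWORD_FILE: /run/secrets/STORAGE_MYSQL_PASSWORD
    secrets:
      - MARIADB_ROOT_PASSWORD
      - STORAGE_MYSQL_PASSWORD
    volumes:
      - authelia_mariadb_data:/var/lib/mysql:rw
    networks:
      - default
    deploy:
      # stop-first: two mariadb processes on one InnoDB datadir is not safe.
      update_config:
        order: stop-first
        failure_action: rollback
        parallelism: 1
      restart_policy:
        condition: on-failure
      replicas: 1
      placement:
        constraints:
          - node.hostname == ingress.nixc.us
      labels:
        us.nixc.autodeploy: "true"
        traefik.enable: "false"
    healthcheck:
      # `mysqladmin ping` exits 0 whenever the server answers, even if the
      # connection is refused for lack of credentials, so no password is
      # needed on the command line (and none is exposed via `docker inspect`).
      test: ["CMD", "mysqladmin", "ping", "-h", "localhost"]
      start_period: 15s
      interval: 30s
      timeout: 10s
      retries: 3
    logging:
      driver: json-file
      options:
        max-size: 10m
        max-file: "3"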